(57) Abstract: In a method for distributing keys among a number of secure devices, the secure devices are divided into sets (A, B, C, D, E), each set having a plurality of subsets (a, b, c, d, e). Each subset comprises two or more secure devices having the same key which is unique for this subset. Each secure device is a member of a number of sets (A, B, C, D, E) such that two or more secure devices which are a member of a subset, are not a member of the same subset in another set.

Method for distributing keys among a number of secure devices, method for communicating with a number of secure devices, security system, and set of secure devices



The invention relates to a method for distributing keys among a number of secure devices. The invention further relates to a method for communicating with a number of secure devices, to a security system in which this method is used, and to a set of secure devices obtained by the distributing method.

It is known to protect content against unauthorised copying by using conditional-access-like technology. The term content in the present application is used as an indication of any type of information, such as audio or video signals, computer software etc. To protect the content, the content is scrambled using a control word. The term "control word" refers to the key which is used in the scrambling algorithm to scramble the content. The control word is generally transferred to the descrambling location in an encrypted message. In a consumer electronic system, such as for example a CD or DVD player or a PC, a secure device, such as a smart card, is used to decrypt the encrypted message to obtain the control word and the decrypted control word is used by the electronic system to descramble the content. As a large number of secure devices is open to attack by hackers, it is not unlikely in the long term that the security of a secure device will be breached so that the content is available for unauthorized commercial purposes. In a commonly used method in conditional access systems, breaches of security are managed by distributing new keys which are used to encrypt the control word. However, in particular in off-line circumstances, i.e. in case of distribution of scrambled content on CDs and DVDs, for example, such a distribution method cannot be used.

The invention aims to provide a method for distributing keys among a number of secure devices, which is in particular suitable for distributing keys in stored media applications.

It is a further object of the invention to provide a method for communicating with a number of secure devices.

The invention further aims to provide a method for scrambling a content and a method for descrambling a scrambled content, in particular for use with stored media applications.

Moreover, it is an object of the invention to provide a security system, in which these methods are used.

Finally the invention aims to provide a set of secure devices obtained by the method for distributing keys.

According to the invention a method for distributing keys among a number of secure devices is provided, wherein the secure devices are divided into sets, each set having a plurality of subsets, each subset comprising two or more secure devices having the same key which is unique for this subset, wherein each secure device is a member of a number of sets such that two or more secure devices which are a member of a subset, are not a member of the same subset in another set.

In this manner a method is obtained, wherein the secure devices will be provided with a number of keys, so that in case security of one secure device is breached, the keys stored in this secure device can be cancelled for future use so that this breached secure device is useless, while the other secure devices can use the remaining keys available to these secure devices.

According to the invention the method for communicating with a number of secure devices comprises providing a number of unique keys, said number of keys being divided into subsets (A,a; A,b; ... E,d; E,e), providing a plurality of encrypted messages by encrypting at least one clear message using different keys of said number of keys, adding an identifier to each encrypted message identifying the key used, wherein only a plurality of the available number of keys are used to provide said encrypted messages, forwarding the encrypted messages to the secure devices, and decrypting the encrypted message in the secure device to obtain the clear message.

For scrambling a content for distribution among a number of users, the method of the invention comprises scrambling the content using a control word, wherein the control word is said clear message, wherein the scrambled content and the number of encrypted control messages are forwarded to all users.

The method for descrambling a scrambled content of the invention comprises receiving the scrambled content and receiving a plurality of encrypted control messages, each encrypted control message having an identifier and containing a control word encrypted using a different key identified by the corresponding identifier, retrieving a first key identifier from a secure device having a plurality of keys with key identifiers, searching for an encrypted control message having an identifier corresponding to the retrieved identifier and decrypting in the secure device the encrypted control message found to obtain the control word, and descrambling the scrambled content by using the control word.

A security system of the invention comprises a plurality of terminals and a plurality of secure devices, each secure device comprising a processor and a memory for storing keys, wherein the secure devices are divided into sets (A,B,C,D,E), each set having a plurality of subsets (a,b,c,d,e), each subset being assigned a unique key from a number of unique keys (A,a; A,b; ... E,d; E,e) and each subset comprising two or more of the secure devices, wherein the memory of each secure device contains a plurality of keys unique to different subsets such that the memory of each secure device contains a unique combination of unique subset keys, each terminal comprising means for forwarding an encrypted message to a secure device communicating with the terminal, wherein each encrypted message is obtained by encrypting at least one clear message using different keys of said number of keys, adding an identifier to each encrypted message identifying the key used, wherein only a plurality of the available number of keys are used to provide said encrypted messages, and decrypting the encrypted message in the secure device to obtain the clear message for further use.

Finally, the invention provides a set of secure devices, such as smart cards, each secure device comprising a processor and a memory for storing keys, wherein the secure devices are divided into sets, each set having a plurality of subsets, each subset being assigned a unique key and each subset comprising two or more of the secure devices, wherein the memory of each secure device contains a plurality of keys unique to different subsets such that the memory of each secure device contains a unique combination of unique subset keys.

The invention will be further explained by reference to the drawing.

Fig. 1 schematically shows a content provider and a 
number of users of the content. 

Fig. 2 shows a system for descrambling a scrambled content with a secure device.

Fig. 1 shows a content provider system 1 operating according to an embodiment of the method for scrambling a content according to the invention. The scrambled content is distributed among a number of users by means of a distribution network 2. This distribution network 2 can be, for example, the Internet, a broadcast network or a number of shops selling CDs, DVDs or other storage media. Each user has a system 3 for descrambling the scrambled content co-operating with a secure device 4, such as a smart card. The system 3 can be part of a CD or DVD player, a PC or can be implemented by means of a suitable software program running on a microprocessor which is part of such equipment.

WO 01/30018    PCT/EP00/09866

In order to prevent unauthorized copying of the content provided by the system 1, a provider will scramble the content using a suitable scrambling algorithm, wherein a key is used to scramble this content. The key used to scramble the content will be indicated as control word in this description. The control word is delivered to the users as an encrypted control message or cryptogram. It is noted that this control message may contain further entitlement information such as number of uses of the content, period during which the content may be used or the like. This part of the control message is not part of the present invention and will not be described further. The control message is encrypted using a key which is unique to the secure device 4 of a restricted number of users only. The manner in which the keys are distributed among a number of secure devices 4 will be explained by reference to the following example.

As indicated in these tables, the secure devices are divided into sets A, B, C, D and E and each set has a plurality of subsets a, b, c, d and e. Subset A,a comprises secure devices #01-#05, subset A,b comprises secure devices #11-#15, subset A,c comprises secure devices #21-#25, subset A,d comprises secure devices #31-#35 and subset A,e comprises secure devices #41-#45. The secure devices of each subset receive the same unique key, for example the secure devices #01-#05 of subset A,a receive the unique key A,a. This means that for example secure device #01 has the following set of unique keys A,a; B,a; C,a; D,a and E,a. As shown in the above tables, each secure device is a member of a number of sets A-E such that any two or more secure devices which are a member of a subset, are not a member of the same subset in another set. In this manner each secure device 4 will receive a unique combination of subset keys.

The keys are distributed among the secure devices 4 when the secure devices are initialized. As shown in fig. 2, each secure device 4 comprises a processor 5 and a memory 6, wherein the unique combination of subset keys is stored in the memory 6.

The control word used by the provider system 1 to scramble the content is encrypted in this example using the keys of the first set A, i.e. the keys A,a, A,b ... A,e. This requires five encrypted control messages to be added to the content for distribution together with the content. A header with an identifier identifying the key used to encrypt the control message is added to the control message.

When the scrambled content is received by the system 3, descrambling of the content occurs as follows. When the secure device 4 is connected to the descrambling system 3, the processor 5 of the secure device 4 will forward the identifier of the first of its keys to a processor 7 of the descrambling system 3. The processor 7 receives the scrambled content together with the encrypted control messages and will send the control message with a corresponding identifier to the secure device 4 and the processor 5 will decrypt the encrypted control message using the corresponding key from the memory 6. The decrypted control word will be forwarded to the processor 7 for descrambling the content and in this manner the clear content is obtained.

If we assume that secure device #01 has been breached, the keys of the combination of keys stored in the memory 6 of this secure device should not be used anymore. This means that secure devices #02-#05 need to be provided with encrypted control messages encrypted by using keys B,b, B,c, B,d and B,e, for example. In this manner it is obtained that the information on the keys stored on secure device #01 is useless for the future.

It is noted that in the example given, after breaching three secure devices, there may be legal secure devices, the keys of which would be exposed. These secure devices can still be provided with an encrypted control message by using a key that is unique to the corresponding secure device. In this respect it is noted that each secure device of the complete set of secure devices will generally be provided with a unique key for forwarding messages to each secure device, if necessary. Further it is noted that the number of encrypted control messages increases each time that the system is breached. Of course, the example given is just for illustration purposes. Generally a set of secure devices will include a much larger number of secure devices which are divided into more sets and subsets than in the example described.
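
The distribution, broadcast and revocation steps described above, worked through as an added example that is not part of the patent text. The key tables are not reproduced on this page, so the membership rule for sets C to E is an assumption (an affine-plane layout chosen so that sets A and B match the devices named in the text), and `keys_for`, `plan_broadcast` and `select_message` are hypothetical names.

```python
from itertools import combinations

SETS = "ABCDE"      # key sets, as named in the text
SUBSETS = "abcde"   # subsets within each set
N = 5

def device_id(r, c):
    # Numbering used in the text: row r holds #r1..#r5 (#01-#05, #11-#15, ...)
    return f"#{r}{c + 1}"

def keys_for(r, c):
    """Ordered key identifiers stored in device (r, c).

    ASSUMPTION: sets C-E use the rule (r + k*c) mod 5 because the original
    tables are missing. Sets A and B follow the text: A groups #01-#05
    under A,a, and B spreads them over B,a..B,e.
    """
    idx = [r, c] + [(r + k * c) % N for k in (1, 2, 3)]
    return [f"{s},{SUBSETS[i]}" for s, i in zip(SETS, idx)]

DEVICES = {device_id(r, c): keys_for(r, c)
           for r in range(N) for c in range(N)}

def shares_at_most_one_key():
    """Claimed property: two devices never share a subset in two sets."""
    return all(len(set(a) & set(b)) <= 1
               for a, b in combinations(DEVICES.values(), 2))

def plan_broadcast(breached):
    """Provider side: key ids to encrypt the control word under.

    Every key held by a breached device is revoked. Each remaining device
    is served by the first of its keys that is still in use. Devices with
    no such key are returned as stranded; per the text they would be
    reached with their per-device unique key instead.
    """
    revoked = {k for d in breached for k in DEVICES[d]}
    used, stranded = set(), []
    for dev, keys in DEVICES.items():
        if dev in breached:
            continue
        live = next((k for k in keys if k not in revoked), None)
        if live is None:
            stranded.append(dev)
        else:
            used.add(live)
    return sorted(used), stranded

def select_message(dev, message_ids):
    """Terminal side: try the device's key ids in turn until one matches."""
    return next((k for k in DEVICES[dev] if k in message_ids), None)

if __name__ == "__main__":
    print("keys of #01:", DEVICES["#01"])
    print("no breach:", plan_broadcast(set()))
    msgs, stranded = plan_broadcast({"#01"})
    print("after #01 breached:", msgs, stranded)
    print("#02 decrypts with:", select_message("#02", msgs))
    print("#01 decrypts with:", select_message("#01", msgs))
```

With no breach the plan is the five set-A keys; with #01 breached it grows to eight messages, and #01 holds none of the keys still in use.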

Further it is noted that further subdivisions into subsets, sub-subsets etc. can be made. Further, it is possible to divide the secure devices into entirely independent super sets, wherein keys are distributed within a super set according to the method described.

In case there is a regular online connection with the provider system, it is possible that the provider system 1 forwards a revocation message to all systems 3. This revocation message informs the systems 3 of the fact that the keys of a secure device of which the security has been breached, will not be used anymore. By means of this information, the remaining legal secure devices 4 which are a member of the same subset, will use another key of their own unique combination of keys in future and will provide the corresponding identifier to the descrambling system 3. In this manner the descrambling system will forward the correct encrypted control message to its secure device 4.

The invention can be advantageously used in any security system comprising a plurality of terminals and a plurality of secure devices, in particular in off-line applications. In case of terminals verifying a secure device by challenging the secure device to perform a cryptographic operation, for example in a zero knowledge protocol, the system operates as follows. A secret to be used in the zero knowledge protocol is encrypted using a key of the number of keys available in the system. The keys are distributed among the secure devices as described above. The encrypted secret is forwarded to the secure device with an identifier indicating the key to be used. If this key is available to the secure device, the secure device can decrypt the secret and can use this secret in the zero knowledge protocol. If a secure device is breached, the keys available to the breached device will not be used anymore and those legal secure devices having the same keys as the breached device can communicate with the terminals by using another key of the keys available to these legal secure devices.

The invention is not restricted to the above described embodiments which can be varied in a number of ways within the scope of the claims.

CLAIMS

1. Method for distributing keys among a number of secure devices, wherein the secure devices are divided into sets (A,B,C,D,E), each set having a plurality of subsets (a,b,c,d,e), each subset comprising two or more secure devices having the same key which is unique for this subset, wherein each secure device is a member of a number of sets (A,B,C,D,E) such that two or more secure devices which are a member of a subset, are not a member of the same subset in another set.

2. Method for communicating with a number of secure devices, comprising providing a number of unique keys, said number of keys being divided into subsets (A,a; A,b; ... E,d; E,e), providing a plurality of encrypted messages by encrypting at least one clear message using different keys of said number of keys, adding an identifier to each encrypted message identifying the key used, wherein only a plurality of the available number of keys are used to provide said encrypted messages, forwarding the encrypted messages to the secure devices, and decrypting the encrypted message in the secure device to obtain the clear message.

3. Method according to claim 2, used in a zero knowledge protocol, wherein the clear message is used by the secure device at least as part of a secret used in the zero knowledge protocol.

4. Method according to claim 2 used for scrambling a content for distribution among a number of users, comprising scrambling the content using a control word, wherein the control word is said clear message, wherein the scrambled content and the number of encrypted control messages are forwarded to all users.

5. Method according to claim 4, wherein a revocation message is forwarded to all users, said message identifying a plurality of keys which are revoked from said number of keys.

6. Method for descrambling a scrambled content, comprising receiving the scrambled content and receiving a plurality of encrypted control messages, each encrypted control message having an identifier and containing a control word encrypted using a different key identified by the corresponding identifier, retrieving a first key identifier from a secure device having a plurality of keys with key identifiers, searching for an encrypted control message having an identifier corresponding to the retrieved identifier and decrypting in the secure device the encrypted control message found to obtain the control word, and descrambling the scrambled content by using the control word.

7. Method according to claim 6, wherein a next key identifier is retrieved from the secure device if an encrypted control message with the first retrieved key identifier cannot be found.

8. Security system, comprising a plurality of terminals and a plurality of secure devices, each secure device comprising a processor and a memory for storing keys, wherein the secure devices are divided into sets (A,B,C,D,E), each set having a plurality of subsets (a,b,c,d,e), each subset being assigned a unique key from a number of unique keys (A,a; A,b; ... E,d; E,e) and each subset comprising two or more of the secure devices, wherein the memory of each secure device contains a plurality of keys unique to different subsets such that the memory of each secure device contains a unique combination of unique subset keys, each terminal comprising means for forwarding an encrypted message to a secure device communicating with the terminal, wherein each encrypted message is obtained by encrypting at least one clear message using different keys of said number of keys, adding an identifier to each encrypted message identifying the key used, wherein only a plurality of the available number of keys are used to provide said encrypted messages, and decrypting the encrypted message in the secure device to obtain the clear message for further use.

9. Set of secure devices, such as smart cards, each secure device comprising a processor and a memory for storing keys, wherein the secure devices are divided into sets (A,B,C,D,E), each set having a plurality of subsets (a,b,c,d,e), each subset being assigned a unique key and each subset comprising two or more of the secure devices, wherein the memory of each secure device contains a plurality of keys unique to different subsets such that the memory of each secure device contains a unique combination of unique subset keys.